You’ve probably received a dozen emails in the past few weeks from companies letting you know that they’ve updated their privacy policies and terms of service. The impetus for this is the General Data Protection Regulation (GDPR) -- an EU regulation that seeks to protect the privacy of individuals -- which comes into effect on May 25, 2018.
Why is this important?
The new regulation means organizations (private, public, and non-profit) have to reconsider the ways in which they collect, store, use, and disseminate personally identifiable information (PII). GDPR’s own term is “personal data,” and it is broader than PII as the term is usually understood in the US: it’s not just names and email addresses, but any information that can be used to identify a person, either directly or indirectly, including in combination with other data. So a data set with no names in it at all, but disaggregated by age, village, and ethnicity, may still be personal data: in a small community the combination of those three fields can be unique to one person, which is enough to single that person out.
And while the regulation may not immediately impact a US-based, US-funded organization that works primarily in Malawi, for example (it reaches organizations outside the EU only when they offer goods or services to people in the EU or monitor their behaviour), it does represent a paradigm shift in the way the world is thinking about personal data. GDPR gives people in the EU control over their own data, and after May 25, organizations that process data about them will have to make sure those individuals know and understand what is being collected about them and on what basis, and, where consent is that basis, have actually given it.
Laws like this are fast coming into effect around the world (if they’re not already in place), and this is a good time for organizations to conduct a data audit: take stock of what information they collect and store, determine whether it’s necessary to retain it, and document how they’re protecting sensitive data such as health records, ethnic origin, sexual orientation, gender identity, and political and religious affiliation (GDPR treats most of these as “special categories” that need extra justification to process at all).
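The point about age, village, and ethnicity is easy to state and easy to underestimate, so here is a small, added example (not DevResults code, and not part of the original post) that measures it. It uses the k-anonymity idea: group rows by the “quasi-identifier” fields an outsider could plausibly know about someone, and look at the smallest group. If any group has size 1, that row is one person, names or no names. The rows, village names, and diagnosis values below are constructed for illustration only.

```python
from collections import Counter

# Constructed sample rows for illustration: no names or e-mail addresses,
# just the kind of "disaggregated" fields a programme might report on.
RECORDS = [
    {"age": 34, "village": "Mulanje", "ethnicity": "Lomwe", "diagnosis": "TB"},
    {"age": 34, "village": "Mulanje", "ethnicity": "Lomwe", "diagnosis": "none"},
    {"age": 35, "village": "Mulanje", "ethnicity": "Yao",   "diagnosis": "none"},
    {"age": 38, "village": "Mulanje", "ethnicity": "Lomwe", "diagnosis": "malaria"},
    {"age": 22, "village": "Zomba",   "ethnicity": "Yao",   "diagnosis": "none"},
    {"age": 29, "village": "Zomba",   "ethnicity": "Yao",   "diagnosis": "TB"},
    {"age": 27, "village": "Zomba",   "ethnicity": "Chewa", "diagnosis": "none"},
]


def equivalence_classes(records, quasi_ids):
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids):
    """Size of the smallest class. k == 1 means at least one person is singled out."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def singled_out(records, quasi_ids):
    """Rows whose quasi-identifier combination is unique in the data set.

    Each of these rows is one identifiable person: anyone who knows the
    person's age, village and ethnicity can read off their diagnosis.
    """
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records if classes[tuple(r[q] for q in quasi_ids)] == 1]


def with_age_band(records, width=10):
    """Generalise exact age into a band such as '30-39'.

    This is one common anonymisation step; the example below shows it is
    not enough on its own when another fine-grained field is kept.
    """
    out = []
    for r in records:
        lo = (r["age"] // width) * width
        banded = dict(r)
        banded["age_band"] = f"{lo}-{lo + width - 1}"
        out.append(banded)
    return out


if __name__ == "__main__":
    raw_ids = ("age", "village", "ethnicity")
    print("exact age + village + ethnicity: k =", k_anonymity(RECORDS, raw_ids))
    for r in singled_out(RECORDS, raw_ids):
        print("  singled out:", r)

    banded = with_age_band(RECORDS)
    print("age band + village + ethnicity: k =",
          k_anonymity(banded, ("age_band", "village", "ethnicity")))
    print("age band + village:             k =",
          k_anonymity(banded, ("age_band", "village")))
```

On the constructed rows, exact age plus village plus ethnicity singles out five of the seven people; banding age still leaves k at 1 because ethnicity remains fine-grained; only banding age and dropping ethnicity brings the smallest class up to 3. The same check, run over a real export before it is shared, tells you whether a “de-identified” table is still personal data.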
What does that mean in practice?
DevResults is working hard to ensure that it’s easy for you to comply with GDPR. There are plenty of resources out there on steps organizations should take to comply, but here’s a brief breakdown of the two most important new practices to put into place and how DevResults will make it as easy as possible to do so:
1. The right to be informed and consent:
Individuals should be informed when their data is collected, understand why it’s being collected, who else might receive it, and what their rights are if they wish to access, correct, or delete it. Where the processing rests on consent, that consent has to be opt-in rather than opt-out: freely given, specific, unambiguous, and as easy to withdraw as it was to give. A pre-ticked box or silence does not count.
There’s a lot of debate about what exactly that means in the development field, but organizations should put in place guidelines and practices that their staff follow when collecting personal data. We will provide a brief summary that organizations can use to describe to beneficiaries how data is stored in DevResults. We’ll also update our data table design down the road so you can capture whether consent is needed for a particular field (and whether it’s been received).
2. Data accountability and transparency:
Individuals can see the personal data collected and stored about them, ask to have it corrected if it’s inaccurate or incomplete, and ask for it to be erased if there’s no compelling reason to keep storing and using it.
We already make it easy for you to filter and search data tables for information relating to individuals and to update this information as needed. We’ve also made several internal changes to help you comply with requests from individuals to have their data erased.
What steps are we taking?
- We’ll send out a contract addendum with information on the data we collect and store.
- We’ll update our privacy statement and security statement.
- We are getting certified under the EU-US Privacy Shield which will allow us to transfer personal data from the EU to the U.S. (where our servers are).
- We’ll include a section on data protection in our trainings.
- We’ll reach out to get explicit consent from all our users.
- We’ll work on maximizing data protection down the road, including helping you anonymize your data in-app.
We’ll keep working toward GDPR compliance and will go above and beyond the regulations to keep your data secure. As we get closer to May 25th, we’ll also:
- Host an event on May 23rd with SurveyCTO and Sonjara. SurveyCTO has put together a GDPR postcard detailing the steps they’re taking, and Sonjara has a responsible data guideline you can refer to.
- Put together tips directed specifically at the international development community, including resources to help you audit your data, free or cheap tools to help you protect data, etc.
- Update you regularly, either on our blog or in our release notes, with any changes we’re making to the system or to our services.
We’re excited about GDPR and what it means for data security and privacy around the world. If you have any tips you’d like to share, or any questions for us on our efforts towards GDPR compliance, please share them in the comments below, or feel free to reach out to me directly.